Ansible Vault
July 22, 2021 | Cluster

Often it comes in handy to encrypt data that is used for automation. Sensitive data like passwords and other credentials for infrastructure should be handled with a certain amount of precaution.
Ansible Vault
Ansible Vault is Ansible's built-in encrypted storage for such data, even though it is also possible to integrate Ansible with different kinds of password managers, e.g. "pass" and others.
So, let's say you have a couple of passwords that you need to use from time to time. You could make a file like "my_secrets.enc":
pass_server1: SuperSecretPassword1
pass_server2: SuperSecretPassword2
Then you encrypt the file (you will be prompted for a vault password):
ansible-vault encrypt my_secrets.enc
After encryption the file would look something like this:
$ANSIBLE_VAULT;1.1;AES256
33376131653438353365663139303837343463316334636138396234313032653362343061313231
6233333430653466656361666462613865313435633830390a356232623933646466663966346433
34396636643631623136643464356332366330646632653263356333356266653462313930383534
6535333030313061350a383863623734353733316431336630303463613130663033306138336534
32396635323561653432373634306561373630363464383132343333626139646261303336383335
32323738653863626230626437306533386365373162623038636332626237363032393666366136
303065336236393536336431363265323738
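The envelope above is easy to inspect without a vault password, which is useful for a pre-commit check that a file meant to be a vault really is encrypted. The following is an added example, not code from the original post or from Ansible: it parses the header line and the hex body of a 1.1 envelope into its three parts (hex-encoded salt, HMAC-SHA256 and AES-256-CTR ciphertext, joined by newlines and hex-encoded once more, which is how Ansible packs the 1.1 payload) and rejects anything else. The sample vault is the one printed above; the plaintext sample is constructed.

```python
"""Inspect an Ansible Vault 1.1 envelope without decrypting it (added example)."""
import binascii
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the encrypted file shown in the post (header plus hex body).
SAMPLE_VAULT = """$ANSIBLE_VAULT;1.1;AES256
33376131653438353365663139303837343463316334636138396234313032653362343061313231
6233333430653466656361666462613865313435633830390a356232623933646466663966346433
34396636643631623136643464356332366330646632653263356333356266653462313930383534
6535333030313061350a383863623734353733316431336630303463613130663033306138336534
32396635323561653432373634306561373630363464383132343333626139646261303336383335
32323738653863626230626437306533386365373162623038636332626237363032393666366136
303065336236393536336431363265323738
"""

# Constructed sample: a secrets file that was never encrypted.
SAMPLE_PLAINTEXT = "pass_server1: SuperSecretPassword1\npass_server2: SuperSecretPassword2\n"

HEADER_MAGIC = "$ANSIBLE_VAULT"


@dataclass
class VaultEnvelope:
    version: str
    cipher: str
    vault_id: Optional[str]  # only present in 1.2 headers
    salt: bytes              # 32 random bytes, PBKDF2 salt for the derived keys
    hmac: bytes              # HMAC-SHA256 over the ciphertext (32 bytes)
    ciphertext: bytes        # AES-256-CTR output, padded to 16-byte blocks


def is_vault_file(text: str) -> bool:
    """True if the first line carries the Ansible Vault header magic."""
    return text.startswith(HEADER_MAGIC + ";")


def parse_envelope(text: str) -> VaultEnvelope:
    """Parse the header and unpack the payload into salt, HMAC and ciphertext.

    Raises ValueError for anything that is not a well-formed AES256 envelope.
    """
    if not is_vault_file(text):
        raise ValueError("not an Ansible Vault file (missing $ANSIBLE_VAULT header)")
    header, _, body = text.partition("\n")
    fields = header.split(";")
    # 1.1 header: $ANSIBLE_VAULT;1.1;AES256  -- 1.2 appends the vault id as a 4th field.
    if len(fields) not in (3, 4):
        raise ValueError(f"unexpected header field count: {header!r}")
    _, version, cipher = fields[:3]
    vault_id = fields[3] if len(fields) == 4 else None
    if version not in ("1.1", "1.2") or cipher != "AES256":
        raise ValueError(f"unsupported vault format {version}/{cipher}")

    # The body is one long hex string wrapped at 80 columns; join the lines first.
    try:
        inner = binascii.unhexlify("".join(body.split()))
    except binascii.Error as exc:
        raise ValueError(f"body is not valid hex: {exc}") from exc

    # Inner layout: hex(salt) "\n" hex(hmac) "\n" hex(ciphertext)
    parts = inner.split(b"\n")
    if len(parts) != 3:
        raise ValueError("payload does not contain salt, hmac and ciphertext")
    salt, hmac, ciphertext = (binascii.unhexlify(p) for p in parts)
    if len(salt) != 32 or len(hmac) != 32 or len(ciphertext) % 16 != 0:
        raise ValueError("payload field lengths do not match AES256/HMAC-SHA256")
    return VaultEnvelope(version, cipher, vault_id, salt, hmac, ciphertext)


def check_before_commit(text: str) -> str:
    """Verdict for a file that is supposed to be a vault, e.g. from a git hook."""
    try:
        env = parse_envelope(text)
    except ValueError as exc:
        return f"REJECT: {exc}"
    return f"OK: vault {env.version} {env.cipher}, {len(env.ciphertext)} bytes of ciphertext"


if __name__ == "__main__":
    print(check_before_commit(SAMPLE_VAULT))      # OK: vault 1.1 AES256, 64 bytes of ciphertext
    print(check_before_commit(SAMPLE_PLAINTEXT))  # REJECT: not an Ansible Vault file ...
```

Run it on the sample above and you get a 32-byte salt, a 32-byte HMAC and 64 bytes of ciphertext; run it on the plaintext version of my_secrets.enc and it is rejected, which is exactly the mistake (committing the file before running ansible-vault encrypt) the check is meant to catch. Note that the HMAC is verified by Ansible before decryption, so a tampered body is refused at playbook time, but this parser only checks structure, not authenticity.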
Now, when running your playbook, you pass your new encrypted file as extra variables (-e @file) and tell Ansible to prompt for the vault password. In the following example my_secrets.enc is located in a directory called "vault" (but it can be created anywhere):
ansible-playbook -e @vault/my_secrets.enc --ask-vault-pass playbooks/my_playbook.yaml
Alternatively, you can create a new, already encrypted vault file directly with the create command:
ansible-vault create --vault-id @prompt secret.yml
Edit the secret file
You can either decrypt, edit and re-encrypt the file, or you can use the ansible-vault edit command:
# This opens the decrypted file in your $EDITOR (Vim by default) and re-encrypts it when you save and quit.
ansible-vault edit my_secrets.enc
# Or you could decrypt the file and then edit it with another editor
ansible-vault decrypt my_secrets.enc
# and remember to encrypt it afterwards, since until then the secrets sit on disk in plaintext
ansible-vault encrypt my_secrets.enc